Public Exploit Modules Available for Cisco Prime Infrastructure Vulnerability

Users of Cisco Prime Infrastructure Software are urged to update to the latest version to address one of two vulnerabilities that, when chained, could lead to remote code execution with system-level permissions.

Background

Cisco released an advisory for CVE-2018-15379, an arbitrary file upload and command execution vulnerability for its Cisco Prime Infrastructure (CPI) software. The CPI management software is designed to allow businesses to manage their network device configurations all in one place, rather than individually by device. CPI also offers integration with Cisco Identity Services Engine (ISE) and location-based tracking through the Cisco Mobility Services Engine (MSE).

Vulnerability details

The CPI management tool has two vulnerabilities that, when exploited in tandem, could allow remote code execution. Pedro Ribeiro of Agile Information Security released a Proof of Concept (PoC) that outlines exploitation in greater detail. The researcher also states that exploit modules are publicly available for this vulnerability.

An attacker can first upload a JavaServer Page (JSP) web shell file using a Trivial File Transfer Protocol (TFTP) client to the /localdisk/tftp/ directory through the default TFTP port (port 69) to gain a shell as the "prime" user, which is unprivileged. From there, an attacker can inject commands through an unsanitized portion of the /opt/CSCOlumos/bin/runrshell binary to gain root access in their open shell.

Tenable researchers were also easily able to establish a web shell that accepted command input on a CPI target running version 3.2 in our lab. A standard id command displayed the status of the current user:

However, the privilege escalation can be easily demonstrated with this command:

Urgently required actions

Cisco has available workarounds, such as disabling the TFTP server listed in their advisory. However, we suggest updating to the fixed version (3.4.1) provided by Cisco. An important note is that this fix only addresses the TFTP file upload vulnerability. If an attacker were to gain access to the host in some other fashion that allows them to invoke the unsanitized binary, then the code execution vulnerability would still be exploitable.

Instructions for updating Cisco Prime Infrastructure Software are included in the advisory.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability can be found here.

Global

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

Thank You

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

Thank You

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Thank You

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

Learn More about Industrial Security

Try Tenable.io free for 60 days. Protect your organization from WannaCry, NotPetya and other ransomware cyberattacks. Get Started

The cookie settings on this website are set to 'allow all cookies' to give you the very best website experience. If you continue without changing these settings, you consent to this - but if you want, you can opt out of all cookies by clicking below.